July 30, 2009

ROSS PHILO
VICE PRESIDENT, CHIEF INFORMATION OFFICER

ROBERT J. PEDERSEN
TREASURER

SUBJECT: Audit Report – Disaster Recovery Capabilities of the Enterprise Payment Switch (Report Number IS-AR-09-009)

This report presents the results of our audit of the disaster recovery capabilities of the Enterprise Payment Switch (Project Number 09RG012IS000). This is the last in a series of reports issued in response to the October 2005 Value Proposition Agreement between the U.S. Postal Service and the U.S. Postal Service Office of Inspector General (OIG). The OIG audits focused on evaluating the security of the Enterprise Payment Switch solution to verify that routing and storage of customer information are secure within the Postal Service systems. The objective of this audit was to determine whether disaster recovery capabilities of the Enterprise Payment Switch are in place and effective. See Appendix A for additional information about this audit.

Conclusion

Overall, the disaster recovery capabilities of the Enterprise Payment Switch are in place. However, management can improve its ability to recover the Enterprise Payment Switch by fulfilling requirements consistent with Postal Service policy, developing a comprehensive application disaster recovery plan (ADRP), and performing full operational recovery testing. If management does not address these weaknesses, it cannot assure recovery of the Enterprise Payment Switch in the event of a catastrophic disaster, which could affect the Postal Service brand. We will report the non-monetary impact (preserving the integrity of the Postal Service brand) in our Semiannual Report to Congress.

Disaster Recovery Capabilities of the Enterprise Payment Switch    IS-AR-09-009

Disaster Recovery Plan

The Postal Service does not have a comprehensive ADRP in place for the Enterprise Payment Switch as required.[1] This occurred because Business Continuance Management (BCM) accepted the testing strategy document as the disaster recovery plan to reduce the documentation burden on the development community. In addition, management did not provide an ADRP template for the development community to use as a guide. A comprehensive ADRP[2] increases management’s ability to recover the application in the event of a catastrophic disaster. See Appendix B for our detailed analysis of this issue.

We recommend the Manager, Information Technology Computing Services, direct the Manager, Business Continuance Management, to:

1. Develop an application disaster recovery plan template and make it available to the development community.

We recommend the Manager, Business Continuance Management, and the Program Manager, Enterprise Payment Switch, collaborate to:

2. Create a comprehensive application disaster recovery plan for the Enterprise Payment Switch solution.

Management’s Comments

Management agreed with the recommendations, but did not comment on the non-monetary impact (preserving the integrity of the Postal Service brand).

In response to recommendation 1, management stated that the current Handbook AS-805 (dated June 30, 2009) does not require the use of a template or ADRP testing. The Manager, BCM, will review and update the handbook to reflect new documentation requirements and make it available to the development community. The targeted date for completion is December 1, 2009.

In response to recommendation 2, management stated the Manager, BCM, would use the former ADRP template to update the Enterprise Payment Switch solution. The targeted date for completion is September 1, 2009. See Appendix C for management’s comments in their entirety.

[1] Handbook AS-805, Information Security, dated March 2002 (updated with Postal Bulletin revisions through November 23, 2006). Management released a new version of the handbook on June 30, 2009, that significantly reduced the level of disaster recovery requirements.
[2] xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxx.

Evaluation of Management’s Comments

The OIG considers management’s comments responsive to the recommendations and the corrective actions should resolve the issues identified in the report.

Full Operational Recovery Testing

Management did not conduct a full operational recovery test for the Enterprise Payment Switch. Although they performed initial Enterprise Payment Switch testing, management delayed full operational recovery testing until after the developers implemented xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxx. Without comprehensive operational recovery testing, management risks delays in xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx should disaster recovery become necessary. xxxxxxxxxxxxxxxxxxx could create customer dissatisfaction and negatively affect the Postal Service brand. See Appendix B for our detailed analysis of this issue.

Corrective Action Taken

Management performed a full operational recovery test of the Enterprise Payment Switch between April 29 and May 6, 2009 that included tests of the xxxxxxxxxxxxx xxxxxxxxxxxx. We verified management’s actions during the audit; therefore, we are not making a recommendation regarding this issue.

The OIG considers recommendation 2 significant, and therefore requires OIG concurrence before closure. Consequently, the OIG requests written confirmation when corrective actions are completed. The recommendation should not be closed in the Postal Service’s follow-up tracking system until the OIG provides written confirmation that the recommendation can be closed. We will report the non-monetary impact (preserving the integrity of the Postal Service brand) in our Semiannual Report to Congress.

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Frances E. Cain, Director, Information Technology, or me at (703) 248-2100.

Darrell E. Benjamin, Jr.
Deputy Assistant Inspector General
 for Revenue and Systems

Attachments

cc: Robert J. Wolter
    George W. Wright
    Charles L. McGann
    Katherine S. Banks
    William P. Harris

APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

In calendar year 2008, the Postal Service processed more than 323 million debit and credit card transactions totaling more than $10.8 billion, including transactions originating at traditional post offices, self-service centers, and the Internet; as well as mail and telephone orders. To meet updated performance, reliability, flexibility, and cost objectives associated with debit and credit card transaction processing, the Postal Service developed the Enterprise Payment Switch solution. This solution encompasses new software applications and more than 20 pre-existing Postal Service and vendor systems designed to work together to provide a secure processing environment for nearly all debit and credit card transactions. The Business Impact Assessment classifies the Enterprise Payment Switch as xxxxxxxxxxxxxxxxxxxxxx. The Enterprise Payment Switch supports a broad range of electronic payment types including, but not limited to, credit card, debit card, stored value, checks, and Internet payments.

To address the Value Proposition Agreement objective, we accomplished the project in multiple phases and provided recommendations in four prior audit reports:[3]

    - Phase I: Requirements and Design.
    - Phase II: Preparation for Security Testing.
    - Phase III: Security Testing.

The objective of Phase III included an evaluation of disaster recovery capabilities. However, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. As a result, the OIG deferred an audit of disaster recovery capabilities for the Enterprise Payment Switch to provide the Postal Service an opportunity to xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. This audit report presents the results of Phase IV of the audit.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this audit was to determine whether disaster recovery capabilities of the Enterprise Payment Switch are in place and effective. To accomplish our objective we reviewed documentation and applicable policies and procedures, and interviewed key officials assigned to the Information Technology Operations Portfolio and Corporate Treasury functions. We also examined other materials we deemed necessary. In addition, we reviewed the Payment Switch testing strategy,[4] architectural diagram, test plans and results, and other information pertinent to the audit objective.

[3] See Prior Audit Coverage for details of the reports and results.
[4] Enterprise Payment Switch Security/Failover/Disaster Recovery Testing Strategy, Version 0.19, dated August 2, 2007.

We conducted this performance audit from February through July 2009 in accordance with generally accepted government auditing standards and included such tests of internal controls, as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. We did not rely on computer-generated data to support our audit findings. We discussed our observations and conclusions with management on July 6, 2009, and included their comments where appropriate.

PRIOR AUDIT COVERAGE

Report Title: Enterprise Payment Switch Solution Phase I: Requirements and Design
Report Number: IS-AR-06-017
Final Report Date: September 27, 2006
Report Results: Management was designing and developing the Payment Switch solution with security as a priority. However, we xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxx Management concurred with the findings and recommendations.

Report Title: National Customer Management System Encryption
Report Number: IS-AR-07-006
Final Report Date: December 26, 2006
Report Results: While conducting the Phase II review, we xxxxxxxxxx Xxxxxxxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxx Management concurred with the findings and recommendations.

Report Title: Enterprise Payment Switch Solution Phase II: Preparation for Security Testing
Report Number: IS-AR-07-007
Final Report Date: February 23, 2007
Report Results: Although the Postal Service was developing the Payment Switch with security as a priority, management xxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxx We provided three recommendations to xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxx. Management concurred with the findings and recommendations.

Report Title: Enterprise Payment Switch Solution Phase III: Security Testing
Report Number: IS-AR-08-004
Final Report Date: February 6, 2008
Report Results: Management deployed the Payment Switch solution in limited production xxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxx. Management also xxxxxxx xxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx Management concurred with the findings and recommendations.

APPENDIX B: DETAILED ANALYSIS

Disaster Recovery Plan

Rather than developing an ADRP for the Enterprise Payment Switch, the BCM and application administrators informally agreed to use the test strategy as the disaster recovery plan.

According to Handbook AS-805 in place at the time we performed the audit fieldwork,[5] a disaster recovery plan must be created for all critical and business controlled criticality information resources. The handbook also states that an ADRP template is available on the Information Technology website. Although we could not confirm whether the template was available when management tested the Payment Switch application, we confirmed that the ADRP template is currently unavailable.

On June 30, 2009, subsequent to our fieldwork, management released a new version of handbook AS-805. Although the handbook no longer requires management to develop an ADRP, we believe doing so is imperative to ensure immediate and full recovery of this critical application in the event of a disaster.[6]

We compared the testing strategy to other Postal Service disaster recovery plans[7] and identified several key attributes that were missing from the testing strategy. While the Payment Switch testing strategy addressed the disaster recovery testing objective, scope, environment, components, and testing approach, it did not include key elements of a comprehensive disaster recovery plan, such as:

    1. Roles and responsibilities
          a) Point of contact list (primary and secondary)
          b) Recovery assessment team

    2. Service restoration requirements
          a) Disaster recovery components
          b) Additional disaster recovery requirements

    3. Recovery consideration
          a) Level of emergency
          b) Timing of event
          c) Priority recovery listing

    4. Plan maintenance history

    5. Reporting and documentation
          a) Disaster recovery status report
          b) Assessment and lessons learned report

    6. Checklist for disaster recovery configurations

[5] Chapter 12, Disaster Recovery Planning, Section 12-5.1.
[6] We plan to incorporate a review of the updated version of Handbook AS-805 in a future audit.
[7] Host Computing Services Disaster Recovery Plan, Section 4.2.2 Procedures Mainframe – xxxxxxxxxxxxxxxxxx, Version 1.0, dated September 12, 2008 and Business Information Systems Disaster Recovery Plan, Version 1.0, dated October 1, 2007.

Full Operational Recovery Testing

Management did not perform a full operational recovery test of the Enterprise Payment Switch application. According to Handbook AS-805,[8] management must test the ADRP for critical and business-controlled criticality applications within 180 days of placing an application into production. In addition, management must perform a full operational recovery test of the disaster recovery plan for critical applications every 18 months. However, management xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxx the Payment Switch.

In the testing strategy, management xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. We confirmed these servers are now installed and functioning at the xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Although the BCM intended to test the xxxxxxxxxxxx, our review prompted the BCM to expedite full operational recovery testing of the Enterprise Payment Switch application. In May 2009, the BCM and application administrators completed a full operational test. The application passed the testing requirements.

[8] Chapter 12, Section 12-5-2.1 (c) and (d).

APPENDIX C: MANAGEMENT’S COMMENTS